Security implications of the corporate telephony shift

New solutions offer many benefits, but come with risks which need to be accounted for.

In the workplace, it is fair to say that telephony has been truly disrupted. Businesses are moving away from circuit-switched networks (PSTN/TDM) to networks based on the Session Initiation Protocol (SIP). This migration is being driven by a simple value dynamic: traditional legacy systems (TDM) are outdated in what they offer. Innovative, cost-effective options, such as SIP, deliver increased flexibility, cost savings and service.

From modest beginnings fifteen years ago, SIP has matured considerably and is quickly becoming the standard in service provider and enterprise communication networks. The flexibility enabled by SIP helps enterprises make the most of the changes taking place in the workplace and meet the increasing demands for new forms of real-time communications (RTC). Businesses accept that SIP provides connectivity that is resilient, flexible and easier to scale. However, just as SIP adoption grows, so does the vulnerable surface area offered to attackers.

What’s driving SIP adoption?

If you consider the average millennial coming into work, they don’t expect to perform a nine-to-five job. In turn, companies are offering greater flexibility through work-from-home initiatives. Since remote working is now the rule, not the exception, companies need to draw their employees in virtually from numerous locations.

Adding to this dynamic is the rise of Bring Your Own Device (BYOD) initiatives. Employees are increasingly bringing their own devices into the workplace, which presents a challenge to all types of organisations as they adopt appropriate security and interoperability measures. The risks of data loss, abuse and compromises to security prevail.

Combined, remote working and BYOD workplace environments create one of the strongest use cases for SIP-based Unified Communications. This allows businesses to adopt virtual user models, optimise office space, and appear ‘always on’ for employees and customers.

The dynamic of SIP attacks

Unlike traditional PBX infrastructure, which is a dedicated voice network, SIP telephony leverages the data network, meaning it no longer has ‘walled’ protection. With SIP, RTC apps such as voice, video, and chat become data applications. And without appropriate security measures in place, networks could be opened to hackers. This exposes a business's technology, data, privacy, and compliance to attack.

To a hacker, SIP can represent numerous doors and windows, slightly ajar. There are multiple avenues of attack through SIP, some at the IP or protocol layer and some at the voice application layer. As endpoints become more distant from the core network, it is harder to control access. In addition to this, a large amount of SIP communication traffic is carried by remote workers over the public internet and across unsecured Wi-Fi connections (such as hotspots at cafes or in homes). The productivity of employees working off-site relies on this access, but the associated security risks must be understood and addressed to make it worthwhile.

In addition to conventional threats that have long existed with PBXs, including tampering and eavesdropping, SIP exposes the network to new threats, several of which can be debilitating and costly for an entire business.    

With the growth of SIP, phone system attacks are becoming more common. Hackers are looking for new ways to access valuable corporate data, and when they figure it out their attacks become more targeted and bold. Currently, access over SIP is perceived to pose only a limited financial risk. However, organisations couldn’t be more wrong. For 2015, the Communications Fraud Control Association (CFCA) estimated global losses for communications fraud at more than $38 billion.

To put that into perspective, global credit card fraud is estimated at a little over $16 billion each year. And while some organisations rely on firewalls for protection, even advanced next-generation firewalls are not designed to protect SIP endpoints. So, what should companies do?  

Adopting a zero trust security model by planning ahead

Whilst it is important to be able to respond quickly to any attack that results in a compromised or reduced quality of service, it is best to be able to mitigate attacks in the first place.

The highest level of threats to a SIP network are denial of service on RTC ports, telephony denial of service, theft of service (or toll fraud) and network penetration. Just as enterprises save (and hopefully grow) through more innovative RTC, they need to invest in newer, more secure technologies that protect against hackers.

There is no question that use of session border controllers (SBCs) has grown in the past years. These powerful devices, which come in both hardware and virtual forms, should be your first layer of protection against SIP-based attacks. Unlike firewalls, SBCs secure the IP ports used in SIP and in RTC – protecting Unified Communications. SBCs also go beyond network-level security and deliver a rich set of capabilities designed to secure RTC, including media and signalling encryption, malformed packet detection, call admission and overload controls, white/grey/blacklisting and network topology hiding, all of which keep hackers from learning more about a corporate network. Businesses thinking of migrating to a SIP-based network would be wise to seek out the advice of an SBC expert, who understands the relationship between security and RTC.
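To make two of the SBC capabilities listed above concrete, the sketch below combines malformed-message detection with per-source call admission and white/grey/blacklisting. It is an added example, not code from the article or from any SBC product. The thresholds, class and function names, and the sample SIP messages are constructed assumptions.

```python
import re
from collections import defaultdict, deque

# Assumed policy values for illustration; real SBCs expose their own tunables.
WINDOW_S, GREY_AT, BLACK_AT = 10.0, 5, 10
# Headers RFC 3261 requires in every request, plus their compact forms.
REQUIRED = {"via", "from", "to", "call-id", "cseq", "max-forwards"}
COMPACT = {"v": "via", "f": "from", "t": "to", "i": "call-id"}
# Simplification: only sip:/sips: Request-URIs are accepted.
REQUEST_LINE = re.compile(r"^[A-Z]+ sips?:\S+ SIP/2\.0$")

def is_well_formed(raw: str) -> bool:
    """Malformed-message check: valid request line and all mandatory headers."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    if not REQUEST_LINE.match(lines[0]):
        return False
    names = {l.split(":", 1)[0].strip().lower() for l in lines[1:] if ":" in l}
    return REQUIRED <= {COMPACT.get(n, n) for n in names}

class AdmissionControl:
    """Per-source admission with white/grey/black lists over a sliding window."""
    def __init__(self, whitelist=()):
        self.white, self.black = set(whitelist), set()
        self.seen = defaultdict(deque)  # source IP -> recent request timestamps

    def decide(self, src: str, raw: str, now: float) -> str:
        if src in self.black:
            return "drop"
        if not is_well_formed(raw):
            return "drop"      # malformed is dropped even from trusted peers
        if src in self.white:
            return "accept"    # trusted peer: exempt from rate limits
        q = self.seen[src]
        q.append(now)
        while now - q[0] > WINDOW_S:
            q.popleft()        # forget requests older than the window
        if len(q) >= BLACK_AT:
            self.black.add(src)
            return "drop"
        return "throttle" if len(q) >= GREY_AT else "accept"

def sample_request(method="REGISTER", drop=None) -> str:
    """Constructed SIP request; `drop` omits one header to make it malformed."""
    hdrs = {"Via": "SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bKconstructed",
            "Max-Forwards": "70", "From": "<sip:alice@example.com>;tag=1",
            "To": "<sip:alice@example.com>", "Call-ID": "constructed@192.0.2.10",
            "CSeq": f"1 {method}", "Content-Length": "0"}
    hdrs.pop(drop, None)
    head = "".join(f"{k}: {v}\r\n" for k, v in hdrs.items())
    return f"{method} sip:example.com SIP/2.0\r\n{head}\r\n"
```

A source that keeps sending well-formed requests moves from accepted to throttled (grey) to dropped (black) as it crosses the two thresholds inside the window, while whitelisted peers bypass rate limits but not the malformed-message check.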

As businesses seize the opportunities offered by IP to improve their RTC, the opportunity for hackers to access and steal services increases. Corporate theft and disruption over voice networks is not new, but it’s an increasingly prevalent issue.    

Improving quality of service, reducing the cost of ownership and offering up better ways of working through IP is important, but this must be done by adopting holistic security measures first. As businesses migrate to any new technology, hackers will naturally prey on vulnerabilities. Without a planned and sustained approach, hackers will keep pinging on the network to find new points of entry, because they know all too well: SIP can be highly vulnerable if not secured.

Matt Hurst, Technical Director,
Sonus

ABOUT THE AUTHOR

Matt Hurst, Technical Director, Sonus, has over 10 years of experience working closely within the UC community, helping partners and customers understand and realise the potential of Unified Communications.